User Hierarchy Wordpress - User manages their own users - wordpress

I'm building a repository where teachers and students will post their academic work. I need a way to make each teacher (role: editor) responsible for moderating and approving their students' (role: author) content.
Is there a way to link these kinds of user relations?

Not really in users directly, as there is no such relation as "user owning users".
Roles are the way to go if the groups do not change too much, but you are going to need to define a different role to group students for every teacher, and properly remove from that role the students no longer assigned to that teacher.
It could be easier to maintain two roles, teachers and students, and with user_meta validate whether the student is currently overseen by the teacher and therefore whether the teacher is able to handle that student's posts.
The specifics are very difficult to write down here unless you have already defined how you want to proceed. The plugin recommended in the first comment requires no code, but it requires maintaining roles by hand for every user.
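The "two roles plus user_meta" approach from the answer above, as an added example in plain Python rather than WordPress PHP (this is not code from the original post or from WordPress). The role names `editor`/`author`, the meta key `supervising_teacher` and the post fields are assumptions chosen for the demo; the point it shows is that reassigning a student is one meta write and the old teacher's access disappears without any role churn.

```python
# Added example (not from the original post): two fixed roles plus a per-student
# user_meta entry naming the supervising teacher. Role names, the meta key
# 'supervising_teacher' and the Post fields are assumptions for this demo.

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    role: str                        # 'editor' (teacher) or 'author' (student)
    meta: dict = field(default_factory=dict)


@dataclass
class Post:
    post_id: int
    author_id: int
    status: str = "pending"          # 'pending' until a supervising teacher approves it


def assign_student(student: User, teacher: User) -> None:
    """Record the current supervising teacher in the student's user_meta."""
    if student.role != "author" or teacher.role != "editor":
        raise ValueError("only an author can be supervised, only an editor can supervise")
    student.meta["supervising_teacher"] = teacher.user_id


def can_moderate(actor: User, post: Post, users: dict) -> bool:
    """A teacher may handle a post only if its author is a student currently assigned to them."""
    if actor.role != "editor":
        return False
    author = users.get(post.author_id)
    if author is None or author.role != "author":
        return False
    return author.meta.get("supervising_teacher") == actor.user_id


def approve(actor: User, post: Post, users: dict) -> bool:
    """Approve (publish) the post if the actor is allowed to moderate it."""
    if not can_moderate(actor, post, users):
        return False
    post.status = "publish"
    return True


def demo() -> dict:
    """Constructed scenario: two teachers, one student moved from one to the other."""
    alice = User(1, "editor")
    bob = User(2, "editor")
    carol = User(3, "author")
    users = {u.user_id: u for u in (alice, bob, carol)}
    post = Post(10, author_id=carol.user_id)

    assign_student(carol, alice)
    bob_before = approve(bob, post, users)           # False: Carol is not Bob's student yet
    assign_student(carol, bob)                       # reassignment: one meta write, no new role
    alice_after = can_moderate(alice, post, users)   # False: Alice lost access automatically
    bob_after = approve(bob, post, users)            # True: post is now published
    return {"bob_before": bob_before, "alice_after": alice_after,
            "bob_after": bob_after, "status": post.status}
```

In WordPress itself the same check would hang off the `map_meta_cap` filter so that `edit_post` on a student's post resolves to a denied capability unless the supervision relation holds; the data model and the decision logic are what this example shows.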

Related

How to manage multiple users with EF in ASP.NET Core

I am designing a database for a language learning center. I have 3 subjects to manage: admin, teacher and student.
Admin can assign the role to the other 2 objects
The teacher has the role of posting instructions on the website
Students can register for the course and pay
Should I create a teacher and a student table in the database? If so - how should I design them? Otherwise how should I manage just one user object?
I designed the AppUser class to inherit the identity user class, the student and teacher classes inherit from the AppUser class, is that a good approach?
A better solution is to create a teacher and a student table in the database. Because their roles are completely different, this separates their respective business logic completely and reduces the complexity of the design.
Create a login page; you can provide a drop-down list for users to choose their own roles, query the database according to the user's role, and then fill the user and the user's role into Identity to achieve authentication.
The question for how to handle this comes down to first separating logic into the "Can do" and "has a" bins.
If your objects have unique relationships (let's say Teachers have several table relations unique to them), then you want to use different tables for them.
If however you can simplify the relations enough that they can be functionally the same (i.e. both Teachers and Students will have a Classroom relation, which, though it means something different for them, can be re-used as the same column for both), then you want to instead handle this difference via Roles.
Roles allow you to apply authorization to various parts of your website.
It might also be best practice to do both of the above.
When handling "multi user type" style interfaces, you typically will need to be careful about selecting how you register users. Do you want to do it via invitation emails/codes? Or perhaps Administrators create the users by hand and there is no form of registration at all?
You can use the AspNetRoles table and bind it to the AspNetUsers table. You don't need to create teacher and student tables.

Class / Single Table Inheritance or another method?

There will be an "Account" which can be a "Customer" or a "Supplier", or both. It has to be at least one of them.
I am wanting to use Class Table Inheritance but I'm unsure whether I will be able to have an Account that can be both a Customer and a Supplier.
Can anyone confirm?
I would appreciate any help.
I don't think STI is the right choice for your problem since it's more like a many-to-many relationship.
Your question is a little too broad to give you an exact answer. Depending on your needs you may have a few options.
For example, if being a Customer/Supplier means having additional data, it would be better to make them separate entities with a relationship to the Account. So in your app, you would recognize whether an Account is a Customer or a Supplier by checking whether the appropriate related entity exists. So you could explain it as
An Account can have a Customer or Supplier profile
or something like this, instead of
Account can be a Customer or Supplier
Another solution would be to treat it as a simple ACL, where Account is a subject, and Customer and Supplier are roles.
It's hard to provide a more detailed answer to your question.
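The two threads above make the same split from different angles: the ASP.NET answers separate "can do" (roles) from "has a" (per-type tables), and the Customer/Supplier answer models the types as optional profile entities attached to one Account. The following is an added example (not code from either thread, and not tied to EF Core or any ORM) that implements that split on an in-memory SQLite database: profile tables carry the type-specific data, a role table carries the permissions, the "at least one profile" rule is enforced in the create path, and an account's kind is derived from which profiles exist rather than from a type column or from anything the client chooses. Table, column and role names are assumptions for the demo.

```python
# Added example (not from the original threads): "has a" in profile tables,
# "can do" in a role table, account kind derived from stored data.
# Schema, column names and role names are constructed for this demo.

import sqlite3

SCHEMA = """
CREATE TABLE account (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE
);
-- 'has a': optional one-to-one profile per kind; the PK is also the FK.
CREATE TABLE customer_profile (
    account_id   INTEGER PRIMARY KEY REFERENCES account(id),
    billing_addr TEXT NOT NULL
);
CREATE TABLE supplier_profile (
    account_id INTEGER PRIMARY KEY REFERENCES account(id),
    tax_number TEXT NOT NULL
);
-- 'can do': roles, many-to-many with account.
CREATE TABLE role (name TEXT PRIMARY KEY);
CREATE TABLE account_role (
    account_id INTEGER NOT NULL REFERENCES account(id),
    role_name  TEXT    NOT NULL REFERENCES role(name),
    PRIMARY KEY (account_id, role_name)
);
INSERT INTO role VALUES ('place_order'), ('publish_catalog');
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def create_account(conn, email, customer=None, supplier=None) -> int:
    """Create an account with its profiles; roles follow from the profiles, not from user input."""
    if customer is None and supplier is None:
        raise ValueError("an account must be a customer, a supplier, or both")
    with conn:  # single transaction: profiles and roles commit together or not at all
        acct_id = conn.execute("INSERT INTO account(email) VALUES (?)", (email,)).lastrowid
        if customer is not None:
            conn.execute("INSERT INTO customer_profile VALUES (?, ?)", (acct_id, customer))
            conn.execute("INSERT INTO account_role VALUES (?, 'place_order')", (acct_id,))
        if supplier is not None:
            conn.execute("INSERT INTO supplier_profile VALUES (?, ?)", (acct_id, supplier))
            conn.execute("INSERT INTO account_role VALUES (?, 'publish_catalog')", (acct_id,))
    return acct_id


def kinds(conn, acct_id) -> set:
    """Classify an account by which profile rows exist."""
    row = conn.execute(
        "SELECT EXISTS(SELECT 1 FROM customer_profile WHERE account_id = ?),"
        "       EXISTS(SELECT 1 FROM supplier_profile WHERE account_id = ?)",
        (acct_id, acct_id)).fetchone()
    return {name for name, present in zip(("customer", "supplier"), row) if present}


def roles(conn, acct_id) -> set:
    return {r for (r,) in conn.execute(
        "SELECT role_name FROM account_role WHERE account_id = ?", (acct_id,))}


def has_role(conn, acct_id, role) -> bool:
    """Authorization check: ask the store, never the request."""
    return role in roles(conn, acct_id)


def demo() -> dict:
    conn = open_db()
    both = create_account(conn, "acme@example.com", customer="1 Main St", supplier="TAX-123")
    only_c = create_account(conn, "jane@example.com", customer="2 Side St")
    result = {
        "both": kinds(conn, both),
        "customer_only": kinds(conn, only_c),
        "both_roles": roles(conn, both),
        "jane_can_publish": has_role(conn, only_c, "publish_catalog"),
    }
    try:
        create_account(conn, "nobody@example.com")       # neither profile: must be rejected
        result["rejected_empty"] = False
    except ValueError:
        result["rejected_empty"] = True
    return result
```

The "at least one profile" invariant is checked in application code here; a database trigger on `account` insert/profile delete would enforce it at the storage layer as well if other writers exist.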

FOSUserBundle proper solution for team consist with multiple users

I am using FOSUserBundle in my Symfony2 project.
My goal is to have teams consisting of multiple users. Users are invited by the administrator (owner) via e-mail confirmation.
If a user belongs to one team, they can't set up new accounts using the same address. Of course, each user should have the opportunity to unsubscribe from the team.
Are there any ready-made solutions? I looked for Groups With FOSUserBundle.
Or do you have any good advice?
You were right, groups can be a good ready-to-use solution to make your logic.
The association is already setup and it's also easy to extend.
The documentation (now part of Symfony's doc) contains a great guide to use groups.
Of course, you can make your own entity; take the FOSUB User->Group logic (association) as an example.
You should see the Security and Roles part of the documentation to manage authorisations of your different kinds of users.
You can assign roles to your different groups, and make your users directly inherit the roles of their group to manage access permissions.
For the confirmation email, see the corresponding documentation too.
And for the unsubscribing, just remove the association between the user you want remove from a Group and the Group (or Team).
This is also part of the association, see the doctrine documentation.
Good use.

Use of session in role based access control (RBAC)

I am trying to understand access control based on RBAC model. I referred to the following link.
NIST RBAC Data Model
I haven't understood this part clearly as mentioned in the excerpt -
*"Each session is a mapping of one user to possibly many roles, i.e., a user establishes a session during which the user activates some subset of roles that he or she is assigned. Each session is associated with a single user and each user is associated with one or more sessions. The function session_roles gives us the roles activated by the session and the function user_sessions gives us the set of sessions that are associated with a user. The permissions available to the user are the permissions assigned to the roles that are activated across all the user's sessions."*
Question - How can a session be used to activate roles? The relationships between the user / group and roles are inserted as admin data. So, how does a session activate a subset of roles for a user?
P.S -> I asked this question earlier here but without an answer. Maybe this question is too basic to ask, but I am keen to understand it. Any use case or a link will definitely be helpful.
Thanks for your time.
In RBAC, administrators give permissions by assigning them to roles, and in addition by assigning roles to users. As you know, for a user to be able to use a particular permission, he will have to have been assigned at least one role that provides said solution.
So each user has a set of roles assigned to him. During a session, he can choose to activate (or deactivate) any of these roles, but no other. The activated roles determine which permissions are available to the user at a given time during the session. This is useful, for example, for dynamic separation of duty constraints, where two roles A and B can be assigned to the same user U, but can't be used together. Therefore, if U wants to use A, he will have to deactivate B before activating A.
From my experience in implementing RBAC, I pretty much avoided using dynamic management of multi-sessions.
At first it sounded like a pretty neat and flexible idea, but as you questioned who activates/deactivates roles (and when), I realized the complexity and security risks weren't worth the effort (my personal opinion).
The important thing to understand here, and which @lmontriux (above) mentioned:
"This is useful, for example, for dynamic separation of duty constraints, where two roles A and B can be assigned to the same user U, but can't be used together. Therefore, if U wants to use A, he will have to deactivate B before activating A."
Most of the time, there are separation of duty constraints that must apply, and in order to honour this I simply chose to only have/manage one valid session per user at a time. If a user wants to authenticate under a different set of roles, he/she is responsible for logging out and logging back in.
It pretty much simplified a lot of my code. It was a compromise I chose and could easily live with.
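The session mechanics both answers describe, as an added example (not code from the NIST model or from either answer): a minimal RBAC core in Python with user-role and permission-role assignment as administrative data, sessions that start with no active roles, explicit activate/deactivate, `session_roles`/`user_sessions` as in the excerpt, a dynamic separation of duty check at activation time, and an optional "one session per user" mode matching the compromise in the second answer. The user, role and permission names are constructed for the demo.

```python
# Added example (not from the original question or answers): NIST-style RBAC core
# with sessions, role activation and dynamic separation of duty (DSD).
# User, role and permission names below are constructed for the demo.

from dataclasses import dataclass, field


class RBACError(Exception):
    pass


@dataclass
class Session:
    sid: str
    user: str
    active: set = field(default_factory=set)    # subset of the user's assigned roles


@dataclass
class RBAC:
    # administrative data: user-role assignment (UA) and permission-role assignment (PA)
    user_roles: dict = field(default_factory=dict)
    role_perms: dict = field(default_factory=dict)
    dsd_pairs: set = field(default_factory=set)   # role pairs that may never be active together
    single_session: bool = False                  # "one valid session per user" (second answer)
    # run-time data
    sessions: dict = field(default_factory=dict)
    _counter: int = 0

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add(perm)

    def add_dsd(self, role_a: str, role_b: str) -> None:
        self.dsd_pairs.add(frozenset((role_a, role_b)))

    def create_session(self, user: str) -> str:
        """A session starts with no active roles; the user activates them explicitly."""
        if self.single_session:
            for old in list(self.user_sessions(user)):
                del self.sessions[old]
        sid = f"s{self._counter}"
        self._counter += 1
        self.sessions[sid] = Session(sid, user)
        return sid

    def user_sessions(self, user: str) -> set:
        return {sid for sid, s in self.sessions.items() if s.user == user}

    def session_roles(self, sid: str) -> set:
        return set(self.sessions[sid].active)

    def activate(self, sid: str, role: str) -> None:
        """Only assigned roles can be activated, and never alongside a DSD-exclusive one."""
        s = self.sessions[sid]
        if role not in self.user_roles.get(s.user, set()):
            raise RBACError(f"{s.user} is not assigned role {role!r}")
        for other in s.active:
            if frozenset((role, other)) in self.dsd_pairs:
                raise RBACError(f"DSD: {role!r} cannot be active while {other!r} is active")
        s.active.add(role)

    def deactivate(self, sid: str, role: str) -> None:
        self.sessions[sid].active.discard(role)

    def session_perms(self, sid: str) -> set:
        """Permissions available right now: those of the activated roles only."""
        return set().union(*(self.role_perms.get(r, set()) for r in self.sessions[sid].active))

    def check(self, sid: str, perm: str) -> bool:
        return perm in self.session_perms(sid)


def demo() -> dict:
    rbac = RBAC()
    rbac.assign_user("u", "submitter")
    rbac.assign_user("u", "approver")
    rbac.grant("submitter", "submit_order")
    rbac.grant("approver", "approve_order")
    rbac.add_dsd("submitter", "approver")   # u may hold both roles but never use both at once

    sid = rbac.create_session("u")
    result = {"fresh": rbac.session_perms(sid)}             # empty: assigned is not activated
    rbac.activate(sid, "submitter")
    result["as_submitter"] = (rbac.check(sid, "submit_order"), rbac.check(sid, "approve_order"))
    try:
        rbac.activate(sid, "approver")                       # blocked by DSD
        result["dsd_blocked"] = False
    except RBACError:
        result["dsd_blocked"] = True
    rbac.deactivate(sid, "submitter")
    rbac.activate(sid, "approver")                           # allowed once the exclusive role is off
    result["as_approver"] = (rbac.check(sid, "submit_order"), rbac.check(sid, "approve_order"))
    try:
        rbac.activate(sid, "auditor")                        # never assigned to u
        result["unassigned_blocked"] = False
    except RBACError:
        result["unassigned_blocked"] = True
    result["sessions_of_u"] = rbac.user_sessions("u")
    return result
```

With `single_session=True`, creating a second session for the same user discards the first, so "switch roles" means "log out and back in", and the DSD check only ever has to look at one active set per user.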

Best Practices in User Privileges/Session Variables in MVC3

Hi Stack Community Members,
I am developing an application under MVC3 where users have department-specific CRUD privileges. In other words, all users can view data for all departments, but only certain users can make changes to the data for any one given department. User-department privilege data is held in a join table in a database.
What I typically do in this kind of situation (in PHP) is to create a session variable (an array) on login which is populated with the IDs of the departments which the user is allowed to edit. When a user then goes to access the editing feature, a drop-down list is populated with only these specific departments. I also populate a few other session variables which are used frequently, like the user's name and the ID of the current time period (business quarter).
Is this type of approach a good way to go in MVC3, or is some alternative approach better? While I figure that I'm going to use Forms Authentication and some specific roles (employee, admin, etc.) these types of roles are just too broad to be able to target department-by-department access, and I'm not sure that MVC3 has an out-of-the-box method which is better than what I'm planning to do.
Your guidance is appreciated!
I'm using Forms Authentication, add specific roles, and combine them if needed. I don't mind being specific for the roles, as they can be combined anyway I want. I can still have broad roles for more general actions.
I store similar data (UserId, DepartmentId, etc) in session since it does not change for the user and it is a small amount of data. It is my opinion that session state would be a good approach for you also.
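The pattern discussed above, as an added example (not code from the question or the answer, and not MVC3-specific): a per-session snapshot of department edit rights built from the join table at login, the filtered drop-down, and the server-side check that has to run on every edit request because the browser can submit any department ID regardless of what the drop-down offered. It also shows the one practical caveat of caching privileges in the session: a revocation made while the user is logged in is not seen until the snapshot is rebuilt. Table and column names and the rows inserted are constructed for the demo.

```python
# Added example (not from the original question or answer): department edit
# rights cached in a per-session snapshot, with the server-side check on the
# posted department id. Schema and sample rows are constructed for this demo.

import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE user_department_edit (        -- join table: who may edit which department
    user_id       INTEGER NOT NULL REFERENCES users(id),
    department_id INTEGER NOT NULL REFERENCES departments(id),
    PRIMARY KEY (user_id, department_id)
);
"""


@dataclass(frozen=True)
class SessionState:
    user_id: int
    name: str
    editable_departments: frozenset    # department ids this user may change


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
        conn.executemany("INSERT INTO departments VALUES (?, ?)", [(10, "Sales"), (20, "Finance")])
        conn.executemany("INSERT INTO user_department_edit VALUES (?, ?)", [(1, 10), (1, 20), (2, 20)])
    return conn


def build_session(conn: sqlite3.Connection, user_id: int) -> SessionState:
    """Run once at login: one query against the join table, then no DB hit per check."""
    name = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    ids = frozenset(d for (d,) in conn.execute(
        "SELECT department_id FROM user_department_edit WHERE user_id = ?", (user_id,)))
    return SessionState(user_id, name, ids)


def editable_choices(conn: sqlite3.Connection, session: SessionState) -> list:
    """Populate the edit drop-down with only the departments the user may change."""
    rows = conn.execute("SELECT id, name FROM departments ORDER BY id").fetchall()
    return [(i, n) for i, n in rows if i in session.editable_departments]


def handle_edit(session: SessionState, posted_department_id: int) -> int:
    """Server-side check on the submitted value; the filtered drop-down is UX, not a control."""
    if posted_department_id not in session.editable_departments:
        return 403
    return 200


def revoke(conn: sqlite3.Connection, user_id: int, department_id: int) -> None:
    with conn:
        conn.execute("DELETE FROM user_department_edit WHERE user_id = ? AND department_id = ?",
                     (user_id, department_id))


def demo() -> dict:
    conn = open_db()
    alice = build_session(conn, 1)
    result = {
        "choices": editable_choices(conn, alice),
        "tampered_post": handle_edit(alice, 30),         # id never offered in the drop-down
        "finance_before": handle_edit(alice, 20),
    }
    revoke(conn, 1, 20)                                   # admin removes Finance rights mid-session
    result["finance_stale"] = handle_edit(alice, 20)      # cached snapshot still says yes
    alice = build_session(conn, 1)                        # rebuilt on re-login or after a change
    result["finance_after"] = handle_edit(alice, 20)
    return result
```

If privileges can change while users are logged in, either rebuild the snapshot when the join table changes (a version number or timestamp on the user row is enough to detect it) or invalidate the affected sessions on revocation.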
